Being in the industry, I understand how difficult it is to secure an organization, so I have some sympathy for Equifax. As an ex-NSA colleague noted (paraphrasing), “A defender has to protect everything, an attacker only has to find one hole.” That said, their business is PII, so there is a higher standard there.

In the end my concern is less that the hack happened, than the difficulty in navigating their site and ultimately receiving the credit protection. First of all, the initial page they are telling “customers” isn’t intuitive:

Then when you do sign up, they tell you you’ll have to wait for roughly a week then sign up at a different URL. You had better write down the URL because they say, “you will not receive additional reminders”. The URL, if you made the mistake of not writing it down is:

Then “click through the link to continue through the enrollment process”. What link that is, god knows.

In fact if you click the above “faq.trustedidpremier.com” today, it goes back to, well, “www.equifaxsecurity2017.com”, which I assume then you are supposed to click the “ENROLL” button on the bottom???:

Plixer provides a VMware OVF for installation of a virtual appliance. I, however, ran into a few issues with the installation:

I couldn’t get the install to work OVF through vCenter successfully, or at least vCenter 6.5. It would install, but when I booted it would come up to a PXE boot, rather than CentOS which the appliance runs on. The answer was to install it through the Windows vSphere ESXi client or through the web vSphere ESXi client.

Setting up SSL (HTTPS) during the initial install prompts wouldn’t work. Everything seemed fine, but on final boot of the Scrutinizer appliance, the HTTP/HTTPS wouldn’t come up at all. It turned out it hadn’t actually generated the certificates and files were missing. The answer is to select “no” to SSL in the initial dialog, then when fully up, log in using the “plixer” login and use the “set ssl on” option after the fact. SSL then works correctly afterwards.

By default it will bind to IPv6 ports and not to IPv4 ports (!) to listen for Netflow data. The solution is to log into the Scrutinizer server/guest as root and disable IPv6 per this document. Specifically, I recommend the “/etc/sysctl.conf” change as it is relatively simple to execute.

When logged in as “root”, doing a “yum update” is useful, though I would do the following bullet after.

When logged in as “plixer”, it’s useful to run the “set tuning” as well as “update packages”, though oddly it seems to run back one of the kernel updates from the last bullet.

Now I just need to figure why I’m still not seeing the packets from the ASA…

Because Ubuntu has a mix of utilities to manage packages I constantly seem to be forgetting the options I need when I go to do basic package management. Mostly for my sake are the ones I use most regularly:

Professor Alan Woodward from the Department of Computer Science at the University of Surrey via The Register:

“Educate users not to open files that they are not expecting. Practice your ABCs – Assume nothing. Believe no one, and Check everything should be drummed into users – personally I preach ABCD – if in any doubt Delete.”

I purchased some used Cisco C1140 autonomous access points for my home network (autonomous meaning not lightweight or requiring a WLC). While everything seemed to be fine at first, later we noticed that printouts to our Canon laser printer were no longer working from our Macs. After some research I realized that the Macs were failing to locate the printer due to Apple Bonjour protocol issues. Google searches led to partial solutions, but most required a downgrade of the AP IOS – a no, no as a security professional.

I had an old Dell PERC 5i/R RAID card laying around and wanted to use it for a home lab ESXi box (note: also works on Dell PERC H200). The card isn’t amazingly high performance, but it it’s good enough for simple RAID. Well, that is, it’s good enough performance if you change the settings. By default “write caching” is disabled – that unfortunately includes even “write caching” on the drives themselves (5i/R doesn’t have cache so it’s always “Write Through”, the H200 has cache, but is disabled by default). Therefore by default write performance is downright painful.

Fortunately it’s not too difficult to fix if you can pull together the right tools. I was lucky enough to find a post by “tonyd88” on this Dell support forum which explains the process. Below, I attempt to summarize the steps for posterity.

WARNING: If you enable write caching on the 5i/R or H200, because of the lack of battery backup (BBU) there is a risk that if you lose power mid-write, you will corrupt your disk, OS, etc. Not only use at your own risk, but ideally at least have a UPS on your system.

Steps:

Locate a copy of “LSIUtil.exe”. The Dell RAID 5i/R was made by LSI. LSI was sold to Avago Technologies and a copy of it appears to be here, but you may need to look around in Avago’s legacy driver downloads. The latest version I have found is 1.62.

You’ll need to create a DOS boot disk or thumb drive with the LSIUtil.exe on it. Unfortunately explaining how to do that is a bit beyond the scope of this article. Google is your friend.

It is likely you will need “DOS4GW.EXE” also on the boot disk. You’ll have to find a reputable download or buy it here. This may be a potential alternative.

Install the Dell 5i/R RAID card in the system and boot to your newly created DOS boot disk/drive.

Run the LSIUtil.exe binary.

Select your controller. Hopefully there will only be one, but otherwise you’ll have to figure it out. Choose the number that matches and hit <enter>.

Because the libraries don’t exist, necessary certificates don’t get generated, and even re-running the installer from the application directory won’t solve it (including with the below hack). What you need to do is ensure the libraries will be there when the installer gets to the “Running package scripts…” section on initial install.

There are a number of possible solutions, but the below seems the cleanest and doesn’t require multiple installs.

This will create a hack to allow the packaged libraries to be used when the package scripts get run. If it’s working correctly the “Running package scripts…” will take many minutes to run as it executes “openssl” to generate the following:

If it instead installs very quickly, you can be fairly certain it didn’t install correctly and probably VMware has changed something yet again. If it works, you can both upload files and deploy OVF files.

Hopefully VMware will create a permanent fix. More on why this plugin is required can be found here. How to install/upgrade the plugin itself can be found here.

The problem is, they are also suggesting you disable a fundamental OS protection temporarily as well. That is a major PIA and sadly doesn’t seem to work on macOS Sierra. I can use OVFs, but I can’t do file uploads. Apparently there is a integrated ESXi HTTP client that some are working on here (via here) that seems to offer some options. This has been a problem for over a year now…

Sometimes you don’t know when an RPM was installed – maybe it was updated, maybe it came with the system. In any case, it can be handy when debugging or even for auditing purposes. This gives an example of getting the install time for the “filesystem” package:

Really all you need is the “%{installtime:date}\n”, but the name can be handy if you want to use it with “-qa” (query all). Also can be handy to put “%{installtime}” (gives seconds since epoch) on the front and run it through “sort -n” to find out order of install.

Recent Posts

My Resume

I've worked in professionally in the systems, networking, security, and programming arenas for the last 25+ years, much of it in leadership or management roles. I am equally comfortable in highly technical “hands on” scenarios as with interacting with executives to drive projects forward.

My resume and other information about my experience can be found here and here.

Bookshelf

Caveat Emptor

The views expressed here are strictly my own and do not represent those of my employer, its officers, nor any other organization.